Cybersecurity Requirements for the Grants Community

Last week’s headlines about the cybersecurity breach at Anthem, one of the largest healthcare providers, may have some of us taking steps to ensure that our identities are not at risk for exposure. Aside from any personal concerns related to Anthem, leaders in the grants community should consider this breach a reminder to examine their own internal controls, ensuring that their organizations have policies and processes in place to protect their systems.

One of the many changes included in the Uniform Guidance (2 CFR 200) implemented in December 2014 is the provision at 2 CFR 200.303 to safeguard Personally Identifiable Information (PII) or other sensitive information. When I first saw this clause in draft form, I was struck that this cybersecurity provision is highlighted. The rest of the internal controls clause reads like a catch-all for abiding by all “statutes, regulations, and the terms and conditions” that could not be included in the Uniform Guidance. This focus on protecting PII reflects the importance that the Federal government has put on addressing cybersecurity issues affecting all aspects of our lives.

What is PII? PII means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. (2 CFR 200.79)

Protected PII means an individual’s first name or first initial and last name in combination with any one or more of types of information, including, but not limited to, social security number, passport number, credit card numbers, clearances, bank numbers, biometrics, date and place of birth, mother’s maiden name, criminal, medical and financial records, educational transcripts. This does not include PII that is required by law to be disclosed. (See also §200.79 Personally Identifiable Information (PII)). (2 CFR 200.82)

If you and your organization have not already put safeguards in place to protect PII and other sensitive information, or you’re just not sure what’s been done, start with the following:

Set up a meeting with your IT team. Depending on the size and scale of your organization, this could be the Chief Technology Officer or a tech-savvy volunteer. In either case, you should have a frank discussion on the cybersecurity measures already in place, if any.

Develop an internal controls document. Since this provision falls under internal controls, you should document the policies and actions for safeguarding Protected PII and other sensitive information for your organization. This internal control document should include the mitigation activities your organization would take should a breach in your safeguarding measures occur. Your internal controls should also include a procedure for notifying your Federal awarding agency of any breaches to avoid noncompliance issues.

Increase awareness. The first step of becoming cyber-aware is often taking the time to be reminded of what many will consider common sense. Fortunately, there are many free resources available for those without the ability to do their own in-house training. The U.S. Computer Emergency Readiness Team (CERT) maintains an extensive resources page. The Texas A&M Engineering Extension Service (TEEX) offers several free introductory courses as well.

We will continue to highlight specific provisions in the Uniform Guidance during the coming months. Detailed Uniform Guidance update information is also found in Federal Grants Update 2015.